1. Field of the Invention
The present invention relates generally to network security, and more particularly, to systems and methods for providing proxy firewall services.
2. Discussion of the Related Art
Firewalls are an essential ingredient in a corporate entity's network security plan. Firewalls represent a security enforcement point that separates a trusted network from an untrusted network. FIG. 1 illustrates a generic example of a network security plan that incorporates a firewall system. In this generic example, firewall system 120 is operative to screen all connections between private network 110 and untrusted system 140. These connections are facilitated by Internet network 130. In the screening process, firewall system 120 determines which traffic should be allowed and which traffic should be disallowed based on a predetermined security policy.
One type of firewall system is an application-level gateway or proxy server, which acts as a relay of application-level traffic. Proxy servers tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level, the proxy server need only scrutinize a few allowable applications (e.g., Telnet, file transfer protocol (FTP), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP), etc.). Generally, if the proxy server does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the proxy server can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Application-level firewall proxies are fragile, and are growing ever more complex. Current applications and services require increased firewall system resources. As a corporation's computer system and usage expands, the demand for through-put and the consumption of system resources by the firewall proxies become critical factors in the operation of the firewall.
Some proposed solutions to handle an increase in through-put demand or resource consumption are software-based solutions. One example of a software-based solution is to increase the number of proxy instances at the firewall. Another example is to increase the number of simultaneous connections allowed via proxy configuration attributes. These solutions are limited by the capacity of the existing hardware.
Other proposed solutions are hardware based. In one hardware based solution, the properties and characteristics of the hardware of the firewall host, such as capacity, memory, processor speed, etc, are increased. Another solution is to deploy load balancing hardware in front of the firewall that load balances traffic at the IP layer. This hardware is then subsequently configured to balance the load between firewall hosts. These hardware solutions typically require a re-installation and re-configuration of the firewall and network topology, a process which is time consuming and expensive.
As can be appreciated, conventional proposed solutions are limited in their ability to address the needs related to the ever-increasing through-put demand and resource consumption at firewall systems. What is needed therefore is a mechanism for enabling flexible scalability in the capacity of proxy firewall services without interrupting the operation of the firewall.